Service Control Policies
Last updated
Policy documents (JSON) used to set permission boundaries for AWS accounts within an organization.
SCPs do NOT grant permissions; they only restrict which actions can be performed.
Even apply to the root user of an account.
Root of the organization: affects all accounts in the org.
Organizational Unit (OU) affects:
Accounts in the OU.
All nested OUs and accounts beneath it.
Individual AWS accounts: affects only those accounts.
SCPs inherit down the organization tree.
Attach at root: impacts the entire organization.
Attach to an OU: impacts that OU and all its children (accounts + nested OUs).
Attach to an account: impacts just that one account.
SCPs do NOT apply to the management account, even if attached.
The management account is exempt from all SCP restrictions.
Define maximum permissions an account can have.
Work together with IAM policies: IAM grants the permission, the SCP limits it, and the effective permission is the intersection of the two.
Think of SCPs as a fence: they set the outer boundary for what's allowed.
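As an added example (not part of the original notes), the following Python models the evaluation rules above: an action must be permitted by the SCPs at every level from the account up to the root, the management account is exempt, and IAM still has to grant the action. The org tree, account names and policies are constructed for illustration only.

```python
import fnmatch

# Constructed sample org (node -> parent, None marks the root); names are illustrative.
ORG_TREE = {"root": None, "ou-workloads": "root", "ou-prod": "ou-workloads",
            "acct-prod-1": "ou-prod", "acct-sandbox": "root"}
MANAGEMENT_ACCOUNT = "acct-mgmt"  # never restricted by SCPs, even if one is attached
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*"}]}  # AWS default SCP

# Constructed SCP attachments per node: the "fence" at each level of the tree.
SCPS = {
    "root": [FULL_AWS_ACCESS,
             {"Statement": [{"Effect": "Deny", "Action": "organizations:LeaveOrganization"}]}],
    "ou-workloads": [FULL_AWS_ACCESS],
    "ou-prod": [FULL_AWS_ACCESS,
                {"Statement": [{"Effect": "Deny",
                                "Action": ["s3:DeleteBucket", "ec2:TerminateInstances"]}]}],
    "acct-prod-1": [FULL_AWS_ACCESS],
    # Allow-list style SCP: only these actions pass, everything else is implicitly denied.
    "acct-sandbox": [{"Statement": [{"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"]}]}],
}

def _matches(pattern, action):
    """IAM-style wildcard match; Action may be one string or a list of them."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)

def scp_permits(policies, action):
    """One level of the tree: an explicit Deny wins; otherwise some Allow must match."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if _matches(stmt["Action"], action):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed

def scp_allows(account, action):
    """Walk from the account up to the root: every level must permit the action."""
    if account == MANAGEMENT_ACCOUNT:
        return True
    node = account
    while node is not None:
        if not scp_permits(SCPS.get(node, []), action):
            return False
        node = ORG_TREE[node]
    return True

def is_allowed(account, action, iam_allows):
    """Effective permission: IAM must grant the action AND the SCP fence must permit it."""
    return iam_allows and scp_allows(account, action)
```

Note that a Deny attached at the OU (s3:DeleteBucket on ou-prod) blocks the action in acct-prod-1 even though that account's own SCP is FullAWSAccess, which is the inheritance rule in practice.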